
Use HTTPS

You can use a secured HTTPS connection either by setting up a reverse proxy or by changing parameters in Squash TM. Henix recommends that you set up a reverse proxy.

Reverse Proxy

If you want to use an HTTPS connection, Henix recommends that you use the Apache HTTPd reverse proxy that is installed on the server hosting Squash TM. Henix recommends the Apache HTTP Server 2.4 branch, with mod_proxy and mod_rewrite configured to force an HTTPS connection.

Here is an example to adapt:

<VirtualHost *:443>
    SSLEngine on
    SSLProxyEngine on
    ServerName myhost.mydomain.com
    ErrorLog ${APACHE_LOG_DIR}/myhost_error.log
    DocumentRoot /var/www
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/myhost_access.log combined
    SSLCertificateFile    /etc/ssl/my-certificate-server.crt
    SSLCertificateKeyFile /etc/ssl/private/my-private-key.key

    <IfModule mod_proxy_http.c>
        ProxyPreserveHost On
        ProxyPass /squash http://localhost:8080/squash
        ProxyPassReverse /squash http://localhost:8080/squash
    </IfModule>
</VirtualHost>

If some Squash TM URLs are still in HTTP afterwards (Requirements Workspaces, URLs in APIs or in description fields in Issues), you must force their rewriting by following the example below:

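<IfModule mod_rewrite.c>
    # RewriteLog and RewriteLogLevel no longer exist in Apache 2.4 and stop
    # the server from starting; to debug the rules, use "LogLevel rewrite:trace1".
    <IfModule mod_ssl.c>
        # <Location> needs a URL path argument; "/" (all paths) is assumed here.
        <Location "/">
            RewriteEngine on
            # Only rewrite requests that did not arrive over HTTPS.
            RewriteCond %{HTTPS} !^on$ [NC]
            RewriteCond %{HTTP_HOST} (^.*)$ [NC]
            # Send the client to the same host and path over HTTPS.
            RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI}  [L]
        </Location>
    </IfModule>
</IfModule>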

Info

If a plugin installed in Squash TM connects to a tool configured in HTTPS, you must authorize HTTPS connections between the Squash TM server and the third-party-tool server. To do this, save the third-party certificate in Squash TM's JVM truststore. To learn more, please visit the page Connect to a third-party tool in HTTPS.

Activate HTTPS in Squash TM without Reverse Proxy

To activate HTTPS directly in Squash TM's embedded Tomcat, you must add the following properties to the file conf/squash.tm.cfg.properties:

server.ssl.key-store=<keystore path>
server.ssl.key-store-password=<keystore password>
server.ssl.key-password=<server certificate key password>
server.ssl.key-alias=<alias of the key in the keystore>

In the file bin/startup.sh, you must set the variable HTTP_PORT as follows:

HTTP_PORT=8443

Focus

Once this parameter is set up, the app only works in HTTPS. In other words, if the user enters http://…, the URL will not be automatically redirected.

Warning

You must create a keystore beforehand. To generate/manipulate a keystore in JKS format (Java KeyStore), you can find Java Keytool commands here.

Connect Squash TM to a PostgreSQL in SSL Mode

For Squash TM to connect in SSL mode to a PostgreSQL database, you must add ?sslmode=require at the end of the DB_URL line in Squash TM's startup file bin/startup. This applies no matter what installation or version you have.

DB_URL="jdbc:postgresql://localhost:5432/squashtm?sslmode=require"
DB_TYPE="postgresql"
DB_USERNAME="squash-tm"
DB_PASSWORD="password"
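
The check below is an added example, not part of Squash TM or its documentation: a shell function that lints the properties file and the startup script edited above for missing or placeholder `server.ssl.*` values, an unreadable keystore, and a PostgreSQL `DB_URL` without an enforcing `sslmode`. The function names, finding labels and sample files are constructed for illustration; `verify-ca` and `verify-full` are PostgreSQL JDBC modes that this page does not mention.

```shell
#!/bin/sh
# Added example, not part of Squash TM: lint the two files edited on this page.

# Print the last value assigned to key $1 in file $2, quotes and CRs stripped.
get_value() {
    key=$(printf '%s' "$1" | sed 's/\./\\./g')   # match the dots literally
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$2" |
        tail -n 1 | tr -d '"\r'
}

# $1 = squash.tm.cfg.properties, $2 = startup script.
# Prints one finding per line and returns 0 only when there are none.
check_squash_tls() {
    rc=0
    for k in server.ssl.key-store server.ssl.key-store-password \
             server.ssl.key-password server.ssl.key-alias; do
        v=$(get_value "$k" "$1")
        case "$v" in
            "")      echo "MISSING $k"; rc=1 ;;
            "<"*">") echo "PLACEHOLDER $k"; rc=1 ;;   # template text left in place
            *)       if [ "$k" = server.ssl.key-store ] && [ ! -r "${v#file:}" ]; then
                         echo "UNREADABLE $k"; rc=1
                     fi ;;
        esac
    done
    # PostgreSQL only: DB_URL must carry an sslmode that enforces TLS.
    # verify-ca and verify-full additionally validate the server certificate.
    url=$(get_value DB_URL "$2")
    case "$url" in
        jdbc:postgresql:*)
            case "$url" in
                *sslmode=require*|*sslmode=verify-ca*|*sslmode=verify-full*) ;;
                *) echo "NO_TLS DB_URL"; rc=1 ;;
            esac ;;
    esac
    return "$rc"
}

# Constructed sample: a leftover placeholder, a missing key, no sslmode.
demo=$(mktemp -d)
cat > "$demo/squash.tm.cfg.properties" <<'EOF'
server.ssl.key-store=<keystore path>
server.ssl.key-store-password=changeit
server.ssl.key-alias=squashtm
EOF
echo 'DB_URL="jdbc:postgresql://localhost:5432/squashtm"' > "$demo/startup.sh"
check_squash_tls "$demo/squash.tm.cfg.properties" "$demo/startup.sh" || true
rm -rf "$demo"
```

Run it against the real `conf/squash.tm.cfg.properties` and startup script before restarting Squash TM; a non-zero exit status means at least one finding was printed.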